Advisories for Golang/Github.com/Gtsteffaniak/Filebrowser/Backend package

2026

FileBrowser Quantum: Password-Protected Share Bypass via /public/api/share/info

The remediation for CVE-2026-27611 appears incomplete. Password protected shares still disclose tokenized downloadURL via /public/api/share/info in docker image gtstef/filebrowser:1.3.1-webdav-2.

FileBrowser Quantum: Password Protection Not Enforced on Shared File Links

When users share password-protected files, the recipient can completely bypass the password and still download the file.